datocp
254 天前
可以修改/etc/sysctl.d ,参考一下 timeout 设定,这些控制连接何时消亡,太大连接一直在,太小影响网络稳定,要设得刚刚好
# cat /proc/net/nf_conntrack|wc -l
920
/etc/sysctl.d# cat *.conf
# Do not edit, changes to this file will be lost on upgrades
# /etc/sysctl.conf can be used to customize sysctl settings
kernel.panic=3
kernel.core_pattern=/tmp/%e.%t.%p.%s.core
fs.suid_dumpable=2
fs.protected_hardlinks=1
fs.protected_symlinks=1
net.core.bpf_jit_enable=1
net.ipv4.conf.default.arp_ignore=1
net.ipv4.conf.all.arp_ignore=1
net.ipv4.ip_forward=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.igmp_max_memberships=100
net.ipv4.tcp_fin_timeout=30
net.ipv4.tcp_keepalive_time=120
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_timestamps=1
net.ipv4.tcp_sack=1
net.ipv4.tcp_dsack=1
net.ipv6.conf.default.forwarding=0
net.ipv6.conf.all.forwarding=0
# Do not edit, changes to this file will be lost on upgrades
# /etc/sysctl.conf can be used to customize sysctl settings
net.netfilter.nf_conntrack_acct=1
net.netfilter.nf_conntrack_checksum=0
net.netfilter.nf_conntrack_max=16384
net.netfilter.nf_conntrack_tcp_timeout_established=600
net.netfilter.nf_conntrack_udp_timeout=65
net.netfilter.nf_conntrack_udp_timeout_stream=120
#dato add sysctl -w sysctl -p
#sysctl net.core.somaxconn
#sysctl -w net.core.somaxconn=2048
net.ipv4.tcp_max_syn_backlog=2048
#1/2/4/8/16s 2=1+2+4
#net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries=2
net.core.somaxconn=2048
#/proc/sys/net/netfilter/nf_conntrack_*
net.netfilter.nf_conntrack_generic_timeout=600
net.netfilter.nf_conntrack_tcp_timeout_syn_sent=120
net.netfilter.nf_conntrack_tcp_timeout_syn_recv=60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait=120
net.netfilter.nf_conntrack_tcp_timeout_time_wait=120
net.netfilter.nf_conntrack_tcp_timeout_close=10
net.netfilter.nf_conntrack_tcp_timeout_close_wait=60
net.netfilter.nf_conntrack_tcp_timeout_last_ack=30
#
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.lo.disable_ipv6=1